CodeDeploy cannot access S3

Problem description


I have a CodePipeline in account A and a CodeDeploy deployment group in account B. After the deployment group's trigger fires, I see the following error: The IAM role arn:aws:iam::accountb:role/testcRSS does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.

I was following the document AWS provides for cross-account deployments with CodePipeline. Do I need to configure anything beyond what the document describes?

Policies attached to the testcRSS role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-east-2:AccountA:key/valuetest"
            ]
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::AccountA bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::AccountA bucket"
            ]
        }
    ]
}

Bucket policy on account A

{
    "Version": "2012-10-17",
    "Id": "SSEAndSSLPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedobjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::AccountAbucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "DenyInsecureConnections",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::AccountAbucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": [
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::AccountAbucket/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::AccountAbucket"
        },
        {
            "Sid": "Cross-account permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:role/testcRSS"
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::AccountAbucket/*"
        }
    ]
}

Trust relationship of the testcRSS role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Solution

The problem was that the wrong KMS key had been added on account B; that key is needed to access the S3 bucket on account A. The KMS key should be the same KMS key that is attached to the CodePipeline on account A.
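One way to catch this mismatch before the deployment trigger ever fires, as an added example that is not part of the question or answer: compare the KMS key ARNs that the account B role's policies allow kms:Decrypt on against the encryption key of the account A pipeline's artifact store. The pipeline definition and role policy documents are assumed to have already been fetched (for instance with get-pipeline and get-role-policy); the documents and key ARNs below are constructed sample data.

```python
import fnmatch

def _as_list(value):
    # IAM policy JSON allows Statement/Action/Resource to be a single item or a list.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def kms_keys_allowed(policies):
    """Key ARNs (or ARN patterns) from Allow statements that grant kms:Decrypt."""
    keys = set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = [a.lower() for a in _as_list(stmt.get("Action"))]
            # "kms:Decrypt" or a wildcard such as "kms:*" both cover the artifact download.
            if any(fnmatch.fnmatchcase("kms:decrypt", a) for a in actions):
                keys.update(_as_list(stmt.get("Resource")))
    return keys

def check_artifact_key(pipeline, role_policies):
    """Return (ok, pipeline_key_arn, allowed_patterns) for the role's KMS access."""
    key_arn = pipeline["artifactStore"]["encryptionKey"]["id"]
    allowed = kms_keys_allowed(role_policies)
    ok = any(fnmatch.fnmatchcase(key_arn, pattern) for pattern in allowed)
    return ok, key_arn, sorted(allowed)

# Constructed sample data: account A (111111111111) owns the pipeline and its artifact
# bucket; account B owns the CodeDeploy service role whose policies are checked.
PIPELINE_A = {"artifactStore": {"type": "S3", "location": "accounta-bucket",
              "encryptionKey": {"type": "KMS",
              "id": "arn:aws:kms:us-east-2:111111111111:key/1111aaaa-pipeline-artifact-key"}}}
KMS_ACTIONS = ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
               "kms:ReEncrypt*", "kms:Decrypt"]
# The situation in the question: the role is granted a different key in account A.
ROLE_B_WRONG = [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                 "Action": KMS_ACTIONS,
                 "Resource": ["arn:aws:kms:us-east-2:111111111111:key/2222bbbb-other-key"]}]}]
# The fix from the answer: grant the pipeline's own artifact-store key.
ROLE_B_FIXED = [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                 "Action": KMS_ACTIONS,
                 "Resource": [PIPELINE_A["artifactStore"]["encryptionKey"]["id"]]}]}]

if __name__ == "__main__":
    for label, policies in (("wrong", ROLE_B_WRONG), ("fixed", ROLE_B_FIXED)):
        ok, key, allowed = check_artifact_key(PIPELINE_A, policies)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} pipeline key {key}; role allows {allowed}")
```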